diff --git a/zaza/charm_tests/vault/tests.py b/zaza/charm_tests/vault/tests.py
index 18d5ff0..2765fad 100644
--- a/zaza/charm_tests/vault/tests.py
+++ b/zaza/charm_tests/vault/tests.py
@@ -4,10 +4,13 @@ import hvac
 import time
 import unittest
 import uuid
+import tempfile
+import requests
 import zaza.charm_lifecycle.utils as lifecycle_utils
 import zaza.charm_tests.test_utils as test_utils
 import zaza.charm_tests.vault.utils as vault_utils
+import zaza.utilities.cert
 import zaza.model
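Review bot: The added imports break the alphabetical order this block otherwise keeps: `import tempfile` and `import requests` land after `import uuid` instead of among `hvac, time, unittest, uuid`, and `import zaza.utilities.cert` is placed before `import zaza.model` although it sorts after it. Moving `import requests` directly after `import hvac`, `import tempfile` before `import time`, and `import zaza.utilities.cert` after `import zaza.model` keeps the file's existing convention; the change is purely stylistic and has no effect on behaviour.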
@@ -23,6 +26,48 @@ class VaultTest(unittest.TestCase):
 vault_utils.unseal_all(cls.clients, cls.vault_creds['keys'][0])
 vault_utils.auth_all(cls.clients, cls.vault_creds['root_token'])
+ def test_csr(self):
+ vault_actions = zaza.model.get_actions(
+ lifecycle_utils.get_juju_model(),
+ 'vault')
+ if 'get-csr' not in vault_actions:
+ raise unittest.SkipTest('Action not defined')
+ action = vault_utils.run_charm_authorize(
+ self.vault_creds['root_token'])
+ action = vault_utils.run_get_csr()
+
+ intermediate_csr = action.data['results']['output']
+ (cakey, cacert) = zaza.utilities.cert.generate_cert(
+ 'DivineAuthority',
+ generate_ca=True)
+ intermediate_cert = zaza.utilities.cert.sign_csr(
+ intermediate_csr,
+ cakey.decode(),
+ cacert.decode(),
+ generate_ca=True)
+ action = vault_utils.run_upload_signed_csr(
+ pem=intermediate_cert,
+ root_ca=cacert,
+ allowed_domains='openstack.local')
+
+ test_config = lifecycle_utils.get_charm_config()
+ del test_config['target_deploy_status']['vault']
+ zaza.model.block_until_file_has_contents(
+ lifecycle_utils.get_juju_model(),
+ 'keystone',
+ '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
+ cacert.decode().strip())
+ zaza.model.wait_for_application_states(
+ lifecycle_utils.get_juju_model(),
+ test_config.get('target_deploy_status', {}))
+ ip = zaza.model.get_app_ips(
+ lifecycle_utils.get_juju_model(),
+ 'keystone')[0]
+ with tempfile.NamedTemporaryFile(mode='w') as fp:
+ fp.write(cacert.decode())
+ fp.flush()
+ requests.get('https://{}:5000'.format(ip), verify=fp.name)
+
 def test_all_clients_authenticated(self):
 for client in self.clients:
 for i in range(1, 10):
diff --git a/zaza/charm_tests/vault/utils.py b/zaza/charm_tests/vault/utils.py
index 7822149..4b1fc8d 100644
--- a/zaza/charm_tests/vault/utils.py
+++ b/zaza/charm_tests/vault/utils.py
@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
+import base64
 import hvac
 import requests
 import tempfile
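Review bot: The final `requests.get('https://{}:5000'.format(ip), verify=fp.name)` in test_csr discards its response, so the only thing the call asserts is that the TLS handshake succeeds against the test CA; a 4xx/5xx from keystone would still pass the test. Bind the result and add `resp.raise_for_status()` after it, with a comment stating the intent of the `verify=` argument: `# trust only the test CA written to fp: requests raises SSLError if keystone's chain does not end in cacert`. Earlier in the hunk the result of `run_charm_authorize` is overwritten on the very next line and the `get-csr` action is indexed via `action.data['results']['output']` without its status being checked, so a failed action surfaces as a KeyError rather than a meaningful failure; asserting on each action's reported status before using its output would make the failure mode clear. The hard-coded `'openstack.local'` and the keystone CA path are presumably deployment-specific; a comment naming where they come from would help the next reader.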
@@ -208,3 +209,23 @@ def run_charm_authorize(token):
 'vault',
 'authorize-charm',
 action_params={'token': token})
+
+
+def run_get_csr():
+ return zaza.model.run_action_on_leader(
+ utils.get_juju_model(),
+ 'vault',
+ 'get-csr',
+ action_params={})
+
+
+def run_upload_signed_csr(pem, root_ca, allowed_domains):
+ return zaza.model.run_action_on_leader(
+ utils.get_juju_model(),
+ 'vault',
+ 'upload-signed-csr',
+ action_params={
+ 'pem': base64.b64encode(pem).decode(),
+ 'root-ca': base64.b64encode(root_ca).decode(),
+ 'allowed-domains=': allowed_domains,
+ 'ttl': '24h'})
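Review bot: The action parameter key `'allowed-domains=': allowed_domains` in run_upload_signed_csr carries a stray `=`, so the value is sent under a name the action presumably does not declare (the sibling keys `pem`, `root-ca` and `ttl` have no such suffix); depending on how the action validates its parameters this either fails the call or silently drops the domain restriction, which is the part of the upload that bounds what the signed intermediate may issue. Change it to `'allowed-domains': allowed_domains,`. The `'ttl': '24h'` is fixed inside the helper; a keyword parameter `ttl='24h'` would keep existing callers unchanged while letting tests exercise other lifetimes. Both new helpers would also benefit from a one-line docstring, and run_upload_signed_csr's should state that `pem` and `root_ca` are expected as bytes, which the `base64.b64encode(...)` calls require.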